"But plaso/log2timeline are hard to install! 😭", I hear you cry.
Here's how to set up aliases and get it running in under 2 seconds using the official Docker containers 👇🏻
#DFIR #plaso #log2timeline #docker #forensics
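The alias set the tweet refers to is not reproduced here, so the following is an added example (not the author's) of shell wrappers around the official log2timeline/plaso Docker image. It assumes the current directory is the case directory (mounted at /data in the container) and that the image exposes the tools as `log2timeline`, `psort` and `pinfo`.

```shell
# Added example: run plaso tools from the official log2timeline/plaso image
# without a local install. Assumption: the current directory is the case
# directory; it is bind-mounted at /data, so pass evidence and output paths
# relative to it.
PLASO_IMAGE="${PLASO_IMAGE:-log2timeline/plaso}"

# Build the docker command line for a plaso tool and print it. Kept separate
# from execution so the exact invocation can be reviewed without docker.
plaso_cmd() {
    tool="$1"
    shift
    printf 'docker run --rm -v %s:/data -w /data %s %s' "$PWD" "$PLASO_IMAGE" "$tool"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# Refuse to run when docker is missing or the case directory is /, rather
# than failing half-way through a collection.
plaso_preflight() {
    command -v docker >/dev/null 2>&1 || { echo "docker not found in PATH" >&2; return 1; }
    case "$PWD" in
        /) echo "refusing to mount / as the case directory" >&2; return 1 ;;
    esac
    return 0
}

# Execute a plaso tool in the container. -w /data makes relative paths resolve
# inside the mounted case directory; add -it yourself for interactive tools.
plaso_run() {
    plaso_preflight || return 1
    tool="$1"
    shift
    docker run --rm -v "$PWD:/data" -w /data "$PLASO_IMAGE" "$tool" "$@"
}

# Functions rather than aliases: they also work in non-interactive shells.
log2timeline() { plaso_run log2timeline "$@"; }
psort()        { plaso_run psort "$@"; }
pinfo()        { plaso_run pinfo "$@"; }

# Example usage (paths relative to the case directory):
#   log2timeline --storage-file case.plaso evidence/disk.E01
#   psort -o l2tcsv -w timeline.csv case.plaso
```

Source the file from your shell profile; `plaso_cmd psort ...` shows the exact docker invocation a wrapper will run before you commit to it.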
🦖Day 83 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Server.Utils.BackupGCS/S3
Link:
https://docs.velociraptor.app/artifact_references/pages/server.utils.backupgcs/
https://docs.velociraptor.app/artifact_references/pages/server.utils.backups3/
----
These are server monitoring artifacts: they watch for flow completions, then zip the results and upload them to a Google Cloud Storage bucket or an S3 bucket using the 'upload_gcs()' and 'upload_s3()' VQL functions.
https://docs.velociraptor.app/vql_reference/plugin/upload_gcs
https://docs.velociraptor.app/vql_reference/plugin/upload_s3
----
Once uploaded, the collections can be left alone and remain archived, or special post-processing can be applied using third-party tools, depending on defenders' needs.
@eric_capuano and @shortxstack (@recon_infosec) did an excellent job presenting on using these artifacts with Timesketch to generate a timeline of events.
If you haven't already, be sure to check out their presentation from @SANS #DFIR Summit 2021!
https://www.sans.org/presentations/breaches-be-crazy/
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
#velociraptor #artifactsofautumn #dfir #forensics #infosec #plaso #threathunting #Timesketch